IEEE C802.16m-08/881r4 Project Title

advertisement
IEEE C802.16m-08/881r4
Project
IEEE 802.16 Broadband Wireless Access Working Group <http://ieee802.org/16>
Title
Elliptic Curve Cryptography Authorization and Key Agreement for IEEE 802.16m
Date
Submitted
2008-09-17
Source(s)
Ranga Reddy US Army
DJ
Shyy MITRE
Sheng Sun Nortel
E-mail:ranga.reddy@us.army.mil
E-mail:djshyy@mitre.org
E-mail:shengs@nortel.com
*<http://standards.ieee.org/faqs/affiliationFAQ.ht
ml>
Re:
MAC/Security: in response to the Tgm Call for Contributions and Comments 802.16m-08/033
for Session 57
Abstract
Elliptic Curve Cryptography (ECC)-based authorization is computationally and resource-wise
more efficient that RSA-based authorization currently used in IEEE 802.16-based networks. In an
effort to optimize system operation and resource utilization, it is suggested that ECC-based
authorization be incorporated into IEEE 802.16m.
Purpose
Review contribution, discuss, and consider incorporation of text into IEEE 802.16m SDD
Notice
This document does not represent the agreed views of the IEEE 802.16 Working Group or any of
its subgroups. It represents only the views of the participants listed in the “Source(s)” field above.
It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the
right to add, amend or withdraw material contained herein.
Release
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in
this contribution, and any modifications thereof, in the creation of an IEEE Standards publication;
to copyright in the IEEE’s name any IEEE Standards publication even though it may include
portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and
accepts that this contribution may be made public by IEEE 802.16.
Patent Policy The contributor is familiar with the IEEE-SA Patent Policy and Procedures:
<http://standards.ieee.org/guides/bylaws/sect6-7.html#6>
and
<http://standards.ieee.org/guides/opman/sect6.html#6.3>.
Further information is located at <http://standards.ieee.org/board/pat/pat-material.html> and
<http://standards.ieee.org/board/pat>.
1
IEEE C802.16m-08/881r4
Elliptic Curve Cryptography-based Authorization
& Key Agreement for IEEE 802.16m
Ranga Reddy
US Army
DJ Shyy
MITRE
Sheng Sun
Nortel
1. Introduction
RSA cryptography generates keys by taking two large prime numbers. The inherent security is in the difficultly
of recovering this key via factorization of large integers. It is generally accepted that RSA keys should be a
minimum of 1024 bits. Discrete logarithm cryptography (DLC) is another area of cryptography where security
is provided by difficulty in solving logarithmic equations over large finite groups. ECC is a subset of DLC,
where the discrete logarithm solution over an equation (plane curve). The elliptic curve equations can over
finite groups on prime fields (Fp) or binary fields (F2m). For prime fields, where p is a large/odd prime > 3,
curves are of the form y2 = x3 + a*x + b. For binary fields, the order of the field is a power of 2, the curves are
of the form y2 + x*y = x3 + a*x2 + b.
ECC keys can be smaller than RSA keys, because it is believed that the solution to a discrete logarithm is
fundamentally more complex than the factorization of large integers. For example, the ECC key size equivalent
of a 1024 bit RSA key is 160 bits [3]. Table 1 [6] and Table 2 [7] shows some (practical) performance data for
ECC and RSA operations (ECDSA is the ECC equivalent of DSA). The measurements were executed on 8bit
Atmel Atmega128-series microcontrollers.
Algorithm
Signature
Key Exchange
Sign
Verify
Client
Server
RSA 1024
304
11.9
15.4
304
ECDSA 160
22.82
45.09
22.3
22.3
RSA 2048
2302.7
53.7
57.2
2302.7
ECDSA 224
61.54
121.98
60.4
60.4
Table 1: Energy cost of digital signatures
and key exchange computations (mJ) [6]
2
IEEE C802.16m-08/881r4
Operation Time [s]
Speedup
(ECC:RSA)
RSA 1024
10.99
1
ECC 160
0.81
13.6
RSA 2048
83.26
1
ECC 224
2.19
38
Table 2: Operation speedup [7]
Currently RSA-based authorization, or RSA + EAP authorization/authentication is supported in 802.16
networks [1]. The X.509 certificates have RSA encryption keys, between 1024 and 2048 bits. We propose to
add elliptic curve cryptography (ECC)-based authorization to the suite of security protocols in IEEE 802.16m.
This requires the use of ECC-based X.509 certificates that support key lengths of 160 - 224 bits. The structure
of the certificates will have to be adjusted to match ECC requirements, and a new CA capable of supporting
X.509-based ECC certificates will have to be created [8]. The ECC authorization should be added to the
cryptographic suite of protocols and should be the preferred method, while maintaining use of RSA
authorization for legacy MS.
2. Text Proposal
[---------------------------------------------------Start of Text Proposal--------------------------------------------------]
12 Security
[Insert the following subsection into Section 12]
12.x Authorization, Authentication Procedures
[Insert the following subsection into Section 12.x Authorization, Authentication Procedures]
12.x.x Authorization via ECC/RSA-based Authentication
[Insert the following text into subsection 12.x.x Authorization via ECC/RSA-based Authentication]
In addition to the current RSA-based authorization within the PKM protocol, Elliptic Curve Cryptography
(ECC)-based authorization will be employed. Certificates that are used to support ECC- and RSA-based
authorization shall followthe X.509 and 802.1AR specifications. For ECC-based public key and signature,
procedures will be amended to make use of Elliptic Cure Diffie-Hellman (ECDH) key agreement specified in
[ANSI X9.63] and Elliptic Curve Digital Signature Algorithm (ECDSA) [ANSI X9.62] as the authentication
mechanism.
[Insert the following subsection into Section 12]
12.y Cryptographic Methods
[Insert the following subsection into Section 12.y Cryptographic Methods]
12.y.y Public-key encryption of AK & Digital Signatures
[Insert the following text into subsection 12.y.y Public-key encryption of AK & Digital Signatures]
When AKs are transported from BS to SS, AKs in Auth Reply messages shall be encrypted by either RSA or
ECC generated public-key.
3
IEEE C802.16m-08/881r4
ECC will use curves over prime fields, where the order of the field is no less 160 bit prime and no greater than
224 bit prime. Example curves are listed in Appendix J, Section J.5.1 thru J.5.3 in ANSI X9.63-2001. These
examples can be used, but it is recommended that when creating certificates manufacturers calculate their own
base points.
[---------------------------------------------------End of Text Proposal--------------------------------------------------]
3. References
[1] "Draft Standard for Local and Metropolitan Area Networks, Part16: Air Interface for Broadband Wireless
Access Systems", IEEE P802.16 Rev2/D6, July 2008.
[2] Hamiti, Shkumbin, "The Draft IEEE 802.16m System Description Document", IEEE 802.16m-08/003r4,
July 2008.
[3] Barker, Elaine, et al., "Recommendation for Key Management - Part 1: General (Revised)", NIST Special
Publication 800-57, March 2007.
[4] Barker, Elaine, et al., "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography (Revised)", NIST Special Publication 800-56a, March 2007.
[5] American National Standards Institute, "American National Standard for Financial Services X9.63-2001:
Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using
Elliptic Curve Cryptography", ANSI X9.63-2001, November 2001.
[6] Wander, A.S., et al., “Energy Analysis of public-key cryptopgraphy for wireless sensor networks”, Third
IEEE Conference on Pervasive Computing and Communications (PerCom), pg's 324 – 328, March 2005.
[7] Eberle, Hans, "Accelerating Next-generation Public-key Cryptography on General-purpose CPUs", Hot
Chips 16, http://www.hotchips.org/archives/hc16/3_Tue/2_HC16_Sess6_Pres2_bw.pdf, August 2004.
[8] Cano, M.-D., etc al., "A Certification Authority for Elliptic Curve X.509v3 Certificates", IEEE Third
International Conference on Networking and Services, pg 49, June 2007.
[9] “Standard for Local and Metropolitan Area Networks: Secure Device Identity”, IEEE P802.1AR Draft 1.6,
June 2008.
4
Download